[mod-security-users] CRS security releases covering several CVEs
From: Christian F. <chr...@ne...> - 2022-09-21 05:59:00
Dear all,

Following ModSecurity's security releases earlier this month, we have followed suit and updated the stable CRS v3.2 and CRS v3.3 release branches as well.

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

(Unfortunately, we also released a bug, so we had to follow up with 3.3.4 and 3.2.3 immediately. Details in the blog.)

These two updates cover several partial rule set bypasses:

- CVE-2022-39955 – Multiple charsets defined in Content-Type header
- CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header abuse
- CVE-2022-39957 – Charset accept header field resulting in response rule set bypass
- CVE-2022-39958 – Small range header leading to response rule set bypass

Outside of these CVE-worthy fixes, there are a handful of security fixes that are of slightly lower severity.

Please be aware that the fix to CVE-2022-39956 depends on the update of ModSecurity to version 2.9.6 or 3.0.8.

Best regards,

Christian Folini, OWASP ModSecurity Core Rule Set co-lead

--
Ultimately, motivation gets us started, but discipline and habit are what enable us to finish.
-- Matthew Helmke